We consider the security of the BB84, six-state and SARG04 quantum key distribution protocols 
when the eavesdropper doesn't have access to a quantum memory. In this case, Eve's most general 
strategy is to measure her ancilla with an appropriate POVM designed to take advantage of the 
post-measurement information that will be released during the sifting phase of the protocol. After 
an optimization on all the parameters accessible to Eve, our method provides us with new bounds 
for the security of six-state and SARG04 against a memoryless adversary. In particular, for the 
six-state protocol we show that the maximum QBER for which a secure key can be extracted is 
increased from 12.6% (for collective attacks) to 20.4% with the memoryless assumption. 



I. INTRODUCTION 

Following the invention of quantum key distribution (QKD) and of its first protocol [1], a central issue in QKD theory has been to find sets of assumptions under which formal security proofs could be derived. In this perspective, since Alice and Bob act as honest players, only the unpredictable behavior of the attacker Eve remains to be captured. Defining a security model thus essentially reduces to making simplifying assumptions that make it possible to bound the attacking capabilities of Eve. However, for a security model to be of interest, it also needs to fulfill several additional constraints and in particular to allow a tractable derivation of security proofs while presenting a level of generality ideally as large as possible.

Intercept-resend (IR) attacks [2] are arguably the simplest and the first attacks that have been considered [ ]. In this security model, Eve has in particular no quantum memory and her strategy consists in making an immediate measurement on a fraction of the individual quantum states sent by Alice, and then resending to Bob, for each individual measurement, the quantum state corresponding to the eigenstate of her measurement result. IR attacks can be optimized [3] and have the notable interest of being implementable with current technology [4, 5] since Eve is essentially playing a role similar to Bob.

IR attacks are however not very general, and proving the security of QKD within stronger security models has rapidly attracted most of the attention of researchers. This has been especially true concerning the search for an unconditional security proof of QKD, i.e. a proof valid against the most general quantum attacker. The important theoretical efforts that have been invested in this direction however proved that this was not easy, and if BB84 [6-8] and several other QKD protocols [9-12] have been proven secure against the most general quantum attacker, it is however not the case yet for most protocols. For this reason, weaker security models that date back to the initial categorization of security proofs [ ], namely individual attacks and collective attacks, still play key roles as security models in QKD. They have an important feature in common: they rely on the assumption that Eve is in possession of a quantum memory.

The assumption about the availability of a quantum memory can however be challenged in practice. Recent results on implementations of quantum memory [13, 14] confirm that it is still technologically very hard to design and build a reliable one: more precisely, a high-fidelity quantum memory with an arbitrarily long storage time doesn't exist yet. In the case of QKD, it is therefore reasonable in a realistic setting to consider the adversary to be memoryless: indeed, the honest participants don't need a quantum memory to perform a QKD protocol, so that they can always wait long enough for the eavesdropper's memory to be completely noisy and useless. Studying the security of a QKD protocol in the memoryless adversary model is moreover useful to quantitatively assess the influence of the "memoryless assumption". As explained above, this assumption is realistic from a technological point of view but nevertheless leads to weakening the security model with respect to individual attacks and of course stronger attacks. The explicit derivation of the secure key rate under the optimal memoryless attack allows one to evaluate what can be seen as a "memoryless trade-off", namely the performance gain versus the weakening of the security model.

Despite this practical interest, academic works on the subject are scarce. Since most QKD security proofs have so far been conducted under one of the main security models (individual, collective and coherent attacks), it was always assumed that Eve had a quantum memory and memoryless attacks on QKD have not been studied widely. For the case of the six-state [15] and SARG04 protocols [16], the optimal memoryless attacks have not been studied to our knowledge. For the BB84 protocol, one of the analyses on the subject [17] studied the optimal POVM that Eve could use to measure the qubit flying from Alice to Bob and found that a key could no longer be extracted for a QBER greater than 15.4% against a memoryless adversary. In our work, we confirm the optimality of this previously known bound on BB84 and provide new tight bounds for the security of the six-state and SARG04 protocols against a memoryless adversary.

After a short description of the QKD protocol considered, we discuss the construction of the attack model. We then compute the secret key rate and optimize it over all parameters before applying the method to the BB84, six-state and SARG04 QKD protocols.



II. DESCRIPTION OF THE PROTOCOL

To avoid the use of unnecessarily complicated notations, we describe our attack by using the BB84 protocol with forward reconciliation [ ]. The generalization of the attack to the six-state and SARG04 protocols is then straightforward as explained in section VI. Alice and Bob have access to a quantum channel and a classical authenticated channel. The protocol can be decomposed in 4 steps:

1. Preparation: For $n \in \mathbb{N}$, Alice chooses randomly $x^n = (x_1, \ldots, x_n) \in \{0,1\}^n$ which represents the raw key, $\theta^n = (\theta_1, \ldots, \theta_n) \in \{0,1\}^n$ which represents the basis, and she prepares the state $|\phi^n\rangle = H^{\theta^n}|x^n\rangle$ before sending it to Bob who measures the state in a random basis. The output of his measurement is $y^n = (y_1, \ldots, y_n) \in \{0,1\}^n$.

2. Sifting: Alice and Bob publicly announce their choice of basis and discard the instances where the bases disagree. For simplicity (but without loss of generality) we forget the bits when the bases disagree. The resulting sifted raw keys are $x^n$ and $y^n$. Alice and Bob then use a small amount of raw key to estimate the QBER: if it is below a certain value they decide to resume the protocol, or else they abort it.

3. Error correction: Based on the value of the QBER, Alice computes an error correction message $I_{ec}$ and sends it to Bob. Bob recovers $x^n$ based on $y^n$ and on the information $I_{ec}$ provided by Alice.

4. Privacy amplification: Alice and Bob use a two-universal hashing function to transform their information $x^n$ into a key of size $l$.

The preparation step in the protocol described above corresponds to a Prepare-and-Measure (P&M) scheme: Alice uses a random number generator to prepare a quantum state. This scheme doesn't require Alice and Bob to have a quantum memory and can be easily implemented with today's technology [18]. It is possible to transform this protocol into an entanglement-based (EB) scheme whose security is easier to prove but which requires Alice and Bob to have a quantum memory: instead of randomly choosing the bits $x$ and $\theta$ to encode the information in $|\phi\rangle$, Alice can prepare an entangled state $|\Phi\rangle_{AB} =$ , send half of the state to Bob and finally measure her half in the basis $\theta$ to get the key string $x$: after this operation is repeated $n$ times, Bob holds the state $|\phi\rangle$ in his laboratory. Clearly this transformation makes the protocol much harder to implement but the security of the EB scheme implies the security of the easier to implement P&M scheme [19].



III. DESCRIPTION OF THE ATTACK MODEL 

We consider the most general actions Eve can perform to gain information with the restriction that she doesn't have a quantum memory. During the preparation phase, Eve is allowed to let an ancilla interact with the qubit flying from Alice to Bob and to measure this ancilla immediately after the interaction with an arbitrary POVM. If $U$ is the unitary interaction applied by Eve to the system, the attack can be represented by the quantum circuit presented in FIG. 1. After the interaction, Eve's ancilla is entangled to the flying qubit and the statistics of any measurement performed on the ancilla can be correlated to the raw key shared by Alice and Bob. Based on the classical information obtained from the measurement and the basis information received afterwards, Eve computes a guess on the raw key bit shared by Alice and Bob. The computation of the probability that her guess is correct is done in the next part of the article.

FIG. 1. Quantum circuit representing Eve's attack in the P&M scheme of the BB84 protocol



The attack represented in the P&M scheme on FIG. 1 can also be described in the equivalent EB scheme. In this case, Alice initially prepares a pure state $|\Phi\rangle_{AB}$ and sends one half to Bob through the quantum channel. After the interaction with Eve (or equivalently, the action of the quantum channel), Alice and Bob share a mixed state $\rho_{AB} = \mathcal{E}(|\Phi\rangle\langle\Phi|_{AB}) = \mathrm{Tr}_E\, |\Psi\rangle\langle\Psi|_{ABE}$ where $|\Psi\rangle_{ABE}$ is a purification of this state. Eve can perform a measurement on her part of the purification $\rho_E = \mathrm{Tr}_{AB}\, |\Psi\rangle\langle\Psi|_{ABE}$ to gain some information on the secret bit shared by Alice and Bob. We write $X$, $Y$ and $K$ the random variables representing the results of the measurements performed by Alice, Bob and Eve on their part of the purification $|\Psi\rangle_{ABE}$.

IV. COMPUTATION OF THE SECRET KEY RATE

In our model, Eve doesn't have a quantum memory and must therefore measure the ancilla used in the attack immediately after the interaction. This means that at the beginning of the classical post-processing of the protocol, Alice, Bob and Eve share a classical probability distribution. The size $l$ of the secret key that can be extracted after the privacy amplification is given by the Csiszár and Körner bound [20]

$$l = I_{AB} - \max_{\text{strategies}} I_{AE} = n\left[I(X:Y) - \max_{\text{strategies}} I(X:K\Theta)\right], \qquad (1)$$

where $I_{AB}$ is the mutual information between Alice and Bob and $\max I_{AE}$ is the maximization over all the eavesdropping strategies of the mutual information between Alice and Eve.

When Eve interacts with the flying qubit she alters it in a way that generates some errors in Bob's string. This perturbation is described by the quantum bit error rate $Q$ measured by Alice and Bob. For a given QBER $Q$, the mutual information between Alice's and Bob's bit strings is given by the capacity of the binary symmetric channel

$$I(X:Y) = H(X) - H(X|Y) = 1 - h(Q), \qquad (2)$$

where $h(p) = -p\log_2 p - (1-p)\log_2(1-p)$ is the binary entropy.

We now compute $I_{AE}$, the mutual information between Alice and Eve. After the reconciliation phase, Eve has access to the result of her measurement $K$ and to the basis information $\Theta$ to guess the value of Alice's bit. We can then write that

$$\begin{aligned} I(X:K\Theta) &= H(X) + H(K\Theta) - H(XK\Theta) \\ &= 1 + H(K|\Theta) + H(\Theta) - H(K|X\Theta) - H(X\Theta) \\ &= H(K|\Theta) - H(K|X\Theta) \end{aligned} \qquad (3)$$

where we used the fact that $X$ and $\Theta$ are independent so that $H(X|\Theta) = H(X) = 1$. We can then compute the conditional entropies:

$$H(K|X\Theta) = \sum_{x,\theta} p(X=x,\Theta=\theta)\, H(K|X=x,\Theta=\theta) = \frac{1}{4}\sum_{k,x,\theta} A[p(K=k|X=x,\Theta=\theta)] \qquad (4)$$

$$\text{and} \quad H(K|\Theta) = \frac{1}{2}\sum_{k,\theta} A[p(K=k|\Theta=\theta)] \qquad (5)$$

where $A(x) = -x\log_2(x)$. The conditional probabilities used in these formulas will be computed in the next section.

Finally we compute the secret key rate $r = l/n$ that can be extracted from the protocol:

$$r = 1 - h(Q) - \max_{\text{strategies}}\left[H(K|\Theta) - H(K|X\Theta)\right]. \qquad (6)$$

V. OPTIMIZATION OF EVE'S ATTACK 

For a given QBER that Eve allows herself to create on the channel between Alice and Bob, we want to maximize $I_{AE}$ over all possible interactions $\mathcal{E}$ and all possible POVMs with the restriction that she doesn't use a quantum memory. To optimize $I_{AE}$, we need in all generality to take into account two elements:

• For each target QBER, we need to consider all the possible interactions $U$ that Eve can do. Equivalently in the EB scheme we need to consider all the purifications compatible with this QBER.

• We also need to consider all the measurements that can be done on Eve's part of the purification.

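A. Computation of the purification $|\Psi_{ABE}\rangle$

In the entanglement-based scheme of BB84, Alice prepares an EPR state $\rho^0_{AB} = |\Phi^+\rangle\langle\Phi^+|$ (where $|\Phi^+\rangle = \frac{|00\rangle + |11\rangle}{\sqrt{2}}$ is a Bell state) and sends one half to Bob. Due to Eve's action during the transmission, Alice and Bob now hold a noisy version of $\rho^0_{AB}$ that we denote by $\rho_{AB} = \mathcal{E}(\rho^0_{AB})$. Following [19], the security of BB84 can be studied without loss of generality on attacks for which the state $\rho_{AB}$ is Bell diagonal. We can write

$$\rho_{AB} = \alpha\,|\Phi^+\rangle\langle\Phi^+| + \beta\,|\Phi^-\rangle\langle\Phi^-| + \gamma\,|\Psi^+\rangle\langle\Psi^+| + \delta\,|\Psi^-\rangle\langle\Psi^-| \qquad (7)$$

with $\alpha + \beta + \gamma + \delta = 1$,

where $|\Phi^\pm\rangle =$ and $|\Psi^\pm\rangle =$ .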

During the protocol, Alice and Bob use a small fraction of the raw key to estimate the QBER of their channel. Let $Q_0$ and $Q_1$ be the QBER measured by Alice and Bob when they measure in $\{|0\rangle, |1\rangle\}$ and $\{|+\rangle, |-\rangle\}$ respectively. We can write the relation between $Q_0$, $Q_1$ and the eigenvalues of $\rho_{AB}$ as

$$\begin{aligned} Q_0 &= \langle 01|\rho_{AB}|01\rangle + \langle 10|\rho_{AB}|10\rangle = \gamma + \delta, \\ Q_1 &= \langle +-|\rho_{AB}|+-\rangle + \langle -+|\rho_{AB}|-+\rangle = \beta + \delta. \end{aligned} \qquad (8)$$

If Alice and Bob measure a different value for $Q_0$ and $Q_1$, it gives them a clue that the channel has been tampered with. We therefore consider that $Q_0 = Q_1 = Q$. If we keep $\alpha \in [1 - 2Q, 1 - Q]$ (for $Q \in [0, 1/2]$) as a free parameter, the state shared by Alice and Bob depends only on $\alpha$ and $Q$:

$$\rho_{AB} = \alpha\,|\Phi^+\rangle\langle\Phi^+| + (1-Q-\alpha)\,|\Phi^-\rangle\langle\Phi^-| + (1-Q-\alpha)\,|\Psi^+\rangle\langle\Psi^+| + (2Q-1+\alpha)\,|\Psi^-\rangle\langle\Psi^-|. \qquad (9)$$

Eve has access to a purification $|\Psi_{ABE}\rangle$ of the state $\rho_{AB}$. The Schmidt purification can be obtained very easily from the orthonormal decomposition of $\rho_{AB}$:

$$\begin{aligned} |\Psi_{ABE}\rangle = {} & \sqrt{\alpha}\,|\Phi^+\rangle_{AB}|\Phi^+\rangle_E + \sqrt{1-Q-\alpha}\,|\Phi^-\rangle_{AB}|\Phi^-\rangle_E \\ & + \sqrt{1-Q-\alpha}\,|\Psi^+\rangle_{AB}|\Psi^+\rangle_E + \sqrt{2Q-1+\alpha}\,|\Psi^-\rangle_{AB}|\Psi^-\rangle_E. \end{aligned} \qquad (10)$$

A purification is not unique but we can choose this one without loss of generality since any purification of $\rho_{AB}$ can be obtained from $|\Psi_{ABE}\rangle$ with a suitable unitary acting on Eve's part of the purification. This unitary can be appended to the measurement performed by Eve after the interactions so we can safely ignore it.

FIG. 2. Mutual information $I_{AB}$ and $I_{AE}$ in the BB84 protocol against the QBER for several attack models



B. Optimization of $I_{AE}$

To optimize her information, Eve wants to use the fact that the basis information will be revealed during the post-processing phase of the protocol. Even though she doesn't have access to a quantum memory and thus cannot wait until she has this information to perform a measurement on her ancilla, she can choose her POVM in such a way that the post-measurement information will increase her knowledge on the raw key. We use a method similar to the one used in [21] in the case of state discrimination where it was argued that the most general measurement strategy for Eve was to use a POVM $\{M_{x_0 x_1}\}_{x_0 x_1 = 00, 01, 10, 11}$ with four possible outcomes $x_0 x_1$. When Eve gets the measurement result $x_0 x_1$, she waits for the basis information $\theta$ to be revealed so that she can choose $x_\theta$ as her guess.

The probability that Eve measures a certain value $k$ when Alice has obtained the result $x$ in the basis $\theta$ can be written as

$$p(K = k|X = x, \Theta = \theta) = \mathrm{Tr}(M_k\, \rho_E^{x\theta}), \qquad (11)$$

where $\rho_E^{x\theta}$ represents Eve's part of the purification when Alice has obtained the result $x$ after a measurement in the basis $\theta$. We can compute this state from $\rho_{ABE} = |\Psi_{ABE}\rangle\langle\Psi_{ABE}|$:

$$\rho_E^{x\theta} = \frac{\mathrm{Tr}_{AB}\left[H^\theta |x\rangle\langle x| H^\theta \otimes I_B \otimes I_E \cdot \rho_{ABE}\right]}{\mathrm{Tr}\left[H^\theta |x\rangle\langle x| H^\theta \otimes I_B \otimes I_E \cdot \rho_{ABE}\right]}. \qquad (12)$$

The optimization problem is now reduced to the computation of the optimal POVM that maximizes the mutual information $I_{AE}$. It can be stated as:



maximize $I(X : K\Theta)$

such that $\sum_i M_i = I$ and $\forall i,\ M_i \geq 0$. (13)

We solved this SDP problem numerically with the help of CVX [22, 23] and SDPT3 [ ] in MATLAB. In the next section we present the results we obtained when we applied this method to three different QKD protocols: the BB84, six-state and SARG04 QKD protocols.



VI. OPTIMAL MEMORYLESS ATTACKS FOR 
DIFFERENT QKD PROTOCOLS 

A. Optimal memoryless attacks on BB84 

When applied to the BB84 QKD protocol, our optimization gives us a numerical representation of the function $I_{AE}$ for all $Q \in [0, 1/4]$. It turns out that this result corresponds exactly to the mutual information between Alice and Eve that was computed in [17] where Eve was allowed to perform a general POVM measurement directly on the flying qubit. The two methods agree on the optimal memoryless attack and this gives us the expression of the mutual information between Alice and Eve as it was computed in [17]:

$I_{AE}$

$\dfrac{A[1 + \epsilon(Q)] - A[\epsilon(Q)]}{2(1 + \epsilon(Q))}$ (14)

with $\epsilon(Q) = \left(\dfrac{1 - \sqrt{8Q(1-2Q)}}{1 - 4Q}\right)^{2}$ (15)



In FIG. 2, we have plotted the mutual information $I_{AB}$ against $I_{AE}$ for three different attack models: individual attacks, collective attacks and the optimal memoryless attacks on BB84.

We optimize Eve's strategy on all the accessible parameters: the choice of the purification and the measurement setting. Since we consider all the possible purifications and use the most general strategy for the measurement, the result of our optimization is the optimal attack without a quantum memory.

FIG. 3. Mutual information $I_{AB}$ and $I_{AE}$ in the SARG04 protocol against the QBER for several attack models

FIG. 4. Mutual information $I_{AB}$ and $I_{AE}$ in the six-state protocol against the QBER for several attack models

The memoryless attack is always less effective than individual attacks and can never provide Eve with full information on the raw key: indeed, the mutual information $I_{AE}$ reaches its maximum of 1/2 for $Q = 0.25$. However we can see that the individual attacks (which require a quantum memory) do not provide Eve with much more information than the optimal memoryless attack.

It is well known that BB84 is secure against collective attacks up to a QBER $Q \approx 11\%$. If we restrict the eavesdropper to a memoryless attack, we find that the BB84 protocol is then secure up to a QBER of 15.4%, the same value that was computed in [ ]. This is less than one point more than the 14.6% corresponding to the individual attacks.
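
As an added illustration (not code from the paper), the following evaluates equations (2)-(6) for one fixed, non-optimized memoryless strategy on BB84: intercept-resend on a fraction `f` of the flying qubits in a basis rotated by `phi`. The function names and the rotated-basis parametrization are assumptions of this example; since no maximization over strategies is performed, the zero-rate QBER it finds can only lie at or above the 15.4% of the optimal attack.

```python
import math

def lam(p):
    """A(x) = -x log2 x as defined after eq. (5), with A(0) = 0."""
    return -p * math.log2(p) if p > 0 else 0.0

def h(q):
    """Binary entropy h(q) of eq. (2)."""
    return lam(q) + lam(1 - q)

def bb84_state(x, theta):
    """Real amplitudes of the BB84 signal state H^theta |x>."""
    if theta == 0:
        return (1.0, 0.0) if x == 0 else (0.0, 1.0)
    s = 1 / math.sqrt(2)
    return (s, s) if x == 0 else (s, -s)

def overlap2(a, b):
    """|<a|b>|^2 for real two-component vectors."""
    return (a[0] * b[0] + a[1] * b[1]) ** 2

def attack_stats(phi, f):
    """Return (QBER, I_AE) when Eve measures a fraction f of the qubits in
    the basis {(cos phi, sin phi), (-sin phi, cos phi)} and resends the
    state she found. Outcome k = 2 means 'qubit left untouched'."""
    basis = [(math.cos(phi), math.sin(phi)), (-math.sin(phi), math.cos(phi))]
    qber = 0.0
    h_k_xt = 0.0                                   # eq. (4)
    p_k_t = {(k, t): 0.0 for k in range(3) for t in range(2)}
    for theta in range(2):
        for x in range(2):
            psi = bb84_state(x, theta)
            probs = [f * overlap2(m, psi) for m in basis] + [1 - f]
            for k, p in enumerate(probs):
                h_k_xt += lam(p) / 4               # p(x, theta) = 1/4
                p_k_t[(k, theta)] += p / 2         # average over uniform x
            # Sifted rounds: Bob measures the resent state in Alice's basis.
            qber += sum(p * (1 - overlap2(m, psi))
                        for p, m in zip(probs, basis)) / 4
    h_k_t = sum(lam(p) for p in p_k_t.values()) / 2    # eq. (5)
    return qber, h_k_t - h_k_xt                        # eq. (3)

def rate(phi, f):
    """Eq. (6) without the max: key rate if Eve used only this strategy."""
    q, i_ae = attack_stats(phi, f)
    return 1 - h(q) - i_ae

def zero_rate_qber(phi):
    """QBER at which rate() reaches zero, found by bisection on f."""
    lo, hi = 0.0, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if rate(phi, mid) > 0:
            lo = mid
        else:
            hi = mid
    return attack_stats(phi, lo)[0]

if __name__ == "__main__":
    for name, phi in (("phi = 0", 0.0), ("phi = pi/8", math.pi / 8)):
        q, i_ae = attack_stats(phi, 1.0)
        print(name, "Q =", round(q, 4), "I_AE =", round(i_ae, 4),
              "zero-rate QBER =", round(zero_rate_qber(phi), 4))
```

With `phi = 0` and `f = 1` the strategy gives Q = 0.25 and I_AE = 1/2, because the basis announced during sifting tells Eve which of her outcomes to trust; the intermediate angle `phi = pi/8` produces the same QBER but less information.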



B. SARG04 

The SARG04 protocol [16] uses the same quantum states as BB84 but with a different encoding of information. In this protocol, Alice prepares a state $H^\theta|x\rangle$ where the classical bit is represented by $\theta$ instead of $x$ as in BB84. This means that the states $|0\rangle$ and $|1\rangle$ code for the classical bit "0" and the states $|+\rangle$ and $|-\rangle$ code for the classical bit "1". For example, if Alice chooses the classical bit "0" and encodes it with the state $|0\rangle$, in the sifting phase she can announce $(|0\rangle, |+\rangle)$ to Bob. This does not give any information to Eve but it gives Bob full information about the classical bit if he measured in the basis $\{|+\rangle, |-\rangle\}$ and got the result "$-$".

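From the point of view of Eve, the attack is the same as the one she does on the BB84 protocol. The difference with BB84 lies in the state $\rho_{AB}$. Indeed, if we use the same notations as for BB84 with $\rho_{AB} = \alpha\,|\Phi^+\rangle\langle\Phi^+| + \beta\,|\Phi^-\rangle\langle\Phi^-| + \gamma\,|\Psi^+\rangle\langle\Psi^+| + \delta\,|\Psi^-\rangle\langle\Psi^-|$, we can follow [25] and write:

$$\alpha + \beta = 1 - Q, \qquad \gamma + \delta = Q \qquad (16)$$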



so that we get: 



PAB 



(1 



$+)($+ 

3Q 
2 



(i-Q- 

a) + ( 



5Q 
2 



(17) 



1 



After an optimization of the mutual information $I_{AE}$ over all the POVMs that Eve can use to measure her ancilla, we have computed that a key can be extracted for a QBER of less than 17.5% against a memoryless adversary compared to 14.8% for individual attacks [ ]. The mutual information between Alice and Eve for the individual attacks and the memoryless attacks are plotted on FIG. 3.



C. Optimal memoryless attacks on the six-state 
protocol 

The six-state protocol [9, 26] is an extension of the BB84 protocol where three bases are used instead of only two. In this case, Alice can choose between the basis $\{|0\rangle, |1\rangle\}$, $\left\{\frac{|0\rangle + |1\rangle}{\sqrt{2}}, \frac{|0\rangle - |1\rangle}{\sqrt{2}}\right\}$ or $\left\{\frac{|0\rangle + i|1\rangle}{\sqrt{2}}, \frac{|0\rangle - i|1\rangle}{\sqrt{2}}\right\}$ to encode her state. As a consequence the probability that Alice and Bob choose the same basis is only 1/3 compared to 1/2 in BB84: during the sifting phase 2/3 of the bits have to be discarded. The advantage of this protocol is that its symmetry simplifies the analysis of its security and reduces the amount of information gained by Eve for a given QBER compared to BB84. Indeed, it was proven in [9] that the six-state protocol can produce a secret key up to a QBER of 12.6% against the most general attacks.

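The optimal memoryless attack on the six-state protocol follows the same procedure as the one described for BB84. Without loss of generality, we study the security of the six-state protocol against attacks for which the state $\rho_{AB}$ is diagonal in the Bell basis and can be written as equation (7). Since Alice and Bob can compute a QBER for three different bases, we get one additional relation between the diagonal coefficients and the QBER compared to equations (8). With the additional information that Alice and Bob measure the same QBER on each basis (the contrary would be a proof of tampering) we can write:

$$\rho_{AB} = \left(1 - \frac{3Q}{2}\right)|\Phi^+\rangle\langle\Phi^+| + \frac{Q}{2}\,|\Phi^-\rangle\langle\Phi^-| + \frac{Q}{2}\,|\Psi^+\rangle\langle\Psi^+| + \frac{Q}{2}\,|\Psi^-\rangle\langle\Psi^-|. \qquad (18)$$

From this expression it is easy to get a purification $|\Psi_{ABE}\rangle$:

$$\begin{aligned} |\Psi_{ABE}\rangle = {} & \sqrt{1 - \frac{3Q}{2}}\,|\Phi^+\rangle_{AB}|\Phi^+\rangle_E + \sqrt{\frac{Q}{2}}\,|\Phi^-\rangle_{AB}|\Phi^-\rangle_E \\ & + \sqrt{\frac{Q}{2}}\,|\Psi^+\rangle_{AB}|\Psi^+\rangle_E + \sqrt{\frac{Q}{2}}\,|\Psi^-\rangle_{AB}|\Psi^-\rangle_E. \end{aligned}$$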

It is then possible to optimize the mutual information $I_{AE}$ on all the POVMs that Eve can use to measure her system. The result of this optimization is plotted on FIG. 4 along with the mutual information for the collective [9] and individual attacks [26] of the six-state protocol. We find that a secret key can be extracted for a QBER of less than 20.4% against a memoryless adversary compared to 12.6% and 15.6% for collective and individual attacks respectively.



VII. CONCLUSIONS 

We have shown how to construct the optimal memoryless attacks on BB84, six-state and SARG04 with an optimization of both the interaction $U$ and the POVM used by Eve. Our result confirms the optimality of the previous bound of 15.4% derived in [17] in the case of BB84. We also provide new bounds for the six-state and SARG04 protocols against a memoryless adversary: the QBER over which no key can be extracted is increased to 20.4% and 17.6% respectively.

In this realistic model of a memoryless adversary, our 
work provides a quantitative estimate of the trade-off 
between the desired confidence on the security of the 
protocol (unconditional security or memoryless security 
model) and the achievable secret key rate. 

Furthermore, the situation where the eavesdropper doesn't have access to a quantum memory is an extreme case of a more general security model where the eavesdropper is allowed to use a noisy memory. In the future, it will be interesting to study how the security bounds of QKD protocols evolve with the amount of noise in the eavesdropper's quantum memory. This model could also be used to prove the security of other protocols like the differential phase shift [ ] or continuous variables [28] protocols against a memoryless adversary.

knowledges support from the European Union through 